Analysis

  • max time kernel
    173s
  • max time network
    204s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
  • submitted
    07/11/2023, 14:32 UTC

General

  • Target

    Activator/Activator.cmd

  • Size

    6KB

  • MD5

    dc603dbdb0818d657710bd9a1d6f4dc1

  • SHA1

    31cded88de90b948a10e7e7c9cb474d1434d1daa

  • SHA256

    13f30eebeda0ddda8eed126a1c7026c27cf88930d0f2a736a8375f913de27d34

  • SHA512

    64cd9fdd6f15f0fbd02d5db16d5b6ac1d7ae07ff83dd8891d561391937c7034c34298174f5a165747afa8f9bd289955d388be0c4b62b8136a2b512561ad760a3

  • SSDEEP

    96:iwprDba0kIEaiFlq4BwguGDukcF8zhPpi+4yH6dv7F0tvsmGv26FdJv30i0/Bf/f:6I2PqaTLePyH0v7QvsRvvpv3HriKFby

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 1 TTPs 4 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 3 TTPs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Windows directory 7 IoCs
  • Launches sc.exe 6 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Creates scheduled task(s) 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Activator\Activator.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\ActivationNextBoot.xml" /TN "ActivationNextBoot"
      2⤵
      • Creates scheduled task(s)
      PID:2676
    • C:\Windows\system32\cscript.exe
      CSCRIPT C:\Windows\system32\slmgr.vbs -dli
      2⤵
      PID:2816
    • C:\Windows\system32\findstr.exe
      FINDSTR "Licensed ½¿µÑ¡º¿ε"
      2⤵
      PID:2800
    • C:\Windows\system32\reg.exe
      REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
      2⤵
      PID:2564
    • C:\Windows\system32\findstr.exe
      FINDSTR /i 7
      2⤵
      PID:2548
    • C:\Windows\system32\findstr.exe
      FINDSTR "VOLUME_KMSCLIENT"
      2⤵
      PID:1792
    • C:\Windows\system32\cscript.exe
      CSCRIPT C:\Windows\system32\slmgr.vbs -dli
      2⤵
      PID:1580
    • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAUTO.EXE
      "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAuto.exe" /ofs=act /ofs=conv /ofsgvlk=inst /sched=ofs
      2⤵
      • Sets service image path in registry
      • Loads dropped DLL
      • Drops file in Windows directory
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
        3⤵
        PID:1448
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2632
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /KEY:OFS
          4⤵
          PID:2856
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
        3⤵
        PID:1492
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /end /TN KMSAuto
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2188
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /end /TN KMSAuto
          4⤵
          PID:2028
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /delete /TN KMSAuto /F
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2008
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /delete /TN KMSAuto /F
          4⤵
          PID:1240
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2228
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /TN KMSAuto /XML C:\Windows\KMSAuto.xml
          4⤵
          • Creates scheduled task(s)
          PID:1260
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSAuto "C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp" /Y
        3⤵
        PID:856
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c bin.dat -y -pkmsauto
        3⤵
        PID:2348
        • C:\Windows\Temp\KMSAuto\bin.dat
          bin.dat -y -pkmsauto
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:2336
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
        3⤵
        PID:2208
        • C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
          4⤵
          • Modifies Windows Firewall
          PID:2944
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
        3⤵
        PID:2272
        • C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall add rule name=0pen_Port_KMS dir=in action=allow protocol=TCP localport=1688
          4⤵
          • Modifies Windows Firewall
          PID:2408
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
        3⤵
        PID:1988
        • C:\Windows\system32\sc.exe
          sc.exe create KMSEmulator binpath= temp.exe type= own start= auto
          4⤵
          • Launches sc.exe
          PID:1824
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe start KMSEmulator
        3⤵
        PID:2300
        • C:\Windows\system32\sc.exe
          sc.exe start KMSEmulator
          4⤵
          • Launches sc.exe
          PID:288
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c bin_x64.dat -y -pkmsauto
        3⤵
        PID:988
        • C:\Windows\Temp\KMSAuto\bin_x64.dat
          bin_x64.dat -y -pkmsauto
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: CmdExeWriteProcessMemorySpam
          PID:1144
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c route.exe -p add 75.0.80.11 0.0.0.0 IF 1
        3⤵
        PID:804
        • C:\Windows\system32\ROUTE.EXE
          route.exe -p add 75.0.80.11 0.0.0.0 IF 1
          4⤵
          PID:296
      • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe
        "FakeClient.exe" 75.0.80.11
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1756
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:75.0.80.11 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
        3⤵
        PID:332
        • C:\Windows\system32\cscript.exe
          cscript.exe C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs //NoLogo /ADR:75.0.80.11 /PRT:1688 /PWN:1688 /P10:1688 /P13:1688 /ACT:OFS
          4⤵
          PID:2120
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop KMSEmulator
        3⤵
        PID:1316
        • C:\Windows\system32\sc.exe
          sc.exe stop KMSEmulator
          4⤵
          • Launches sc.exe
          PID:1076
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete KMSEmulator
        3⤵
        PID:1916
        • C:\Windows\system32\sc.exe
          sc.exe delete KMSEmulator
          4⤵
          • Launches sc.exe
          PID:1608
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c route delete 75.0.80.11 0.0.0.0
        3⤵
        PID:2044
        • C:\Windows\system32\ROUTE.EXE
          route delete 75.0.80.11 0.0.0.0
          4⤵
          PID:2708
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c taskkill.exe /t /f /IM FakeClient.exe
        3⤵
        PID:1716
        • C:\Windows\system32\taskkill.exe
          taskkill.exe /t /f /IM FakeClient.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop WinDivert1.1
        3⤵
        PID:1380
        • C:\Windows\system32\sc.exe
          sc.exe stop WinDivert1.1
          4⤵
          • Launches sc.exe
          PID:3004
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c sc.exe delete WinDivert1.1
        3⤵
        PID:2032
        • C:\Windows\system32\sc.exe
          sc.exe delete WinDivert1.1
          4⤵
          • Launches sc.exe
          PID:2700
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
        3⤵
        PID:2572
        • C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS protocol=TCP
          4⤵
          • Modifies Windows Firewall
          PID:2852
      • C:\Windows\system32\cmd.exe
        "C:\Windows\Sysnative\cmd.exe" /c Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
        3⤵
        PID:1836
        • C:\Windows\system32\netsh.exe
          Netsh.exe Advfirewall Firewall delete rule name=0pen_Port_KMS2 protocol=TCP
          4⤵
          • Modifies Windows Firewall
          PID:2548
    • C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe
      "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\Wait.exe"
      2⤵
      • Suspicious behavior: CmdExeWriteProcessMemorySpam
      • Suspicious behavior: EnumeratesProcesses
      PID:1192
    • C:\Windows\system32\schtasks.exe
      schtasks /create /f /xml "C:\Users\Admin\AppData\Local\Temp\Activator\KMSAuto\KMSAutoOffice.xml" /TN "KMSAuto"
      2⤵
      • Creates scheduled task(s)
      PID:1580
  • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe
    "C:\Windows\Temp\KMSAuto\bin\KMSSS.exe" -Port 1688 -PWin 05426-00206-471-254040-03-1049-14393.0000-2242016 -PO14 RandomKMSPID -PO15 RandomKMSPID -PO16 RandomKMSPID -AI 43200 -RI 43200 KillProcessOnPort -Hwid DD279A0090B8D83E
    1⤵
    • Executes dropped EXE
    PID:1232

Network

  • 75.0.80.11:1688
    52 B
    1

MITRE ATT&CK Enterprise v15

Downloads

                                                                • C:\Users\Admin\AppData\Local\Temp\KMSAuto.tmp

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  b1d1b96a65ea2720588fc42787287f0a

                                                                  SHA1

                                                                  c4f6ee33e424e8136aad018b13b154b35de4a52f

                                                                  SHA256

                                                                  0ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc

                                                                  SHA512

                                                                  f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2

                                                                • C:\Windows\KMSAuto.xml

                                                                  Filesize

                                                                  3KB

                                                                  MD5

                                                                  b1d1b96a65ea2720588fc42787287f0a

                                                                  SHA1

                                                                  c4f6ee33e424e8136aad018b13b154b35de4a52f

                                                                  SHA256

                                                                  0ec31708eb1cd663ceca69188f9e1df3538d424ec7bec05a17271faa49b7cccc

                                                                  SHA512

                                                                  f516dcc2b6ccd5ed0b7958080fec7560f6e8abd34a4a837b8c815325e01448f15ef1350a04c45d2d9712351ed969f7c2e8d77a900a9e0a8f605330577b88e1e2

                                                                • C:\Windows\Temp\KMSAuto\bin.dat

                                                                  Filesize

                                                                  166KB

                                                                  MD5

                                                                  ca62d4125a24ea98f90b8d7b7c92801b

                                                                  SHA1

                                                                  72f50ecc667713b8f357a048a6f621664fd1e361

                                                                  SHA256

                                                                  9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

                                                                  SHA512

                                                                  ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

                                                                • C:\Windows\Temp\KMSAuto\bin.dat

                                                                  Filesize

                                                                  166KB

                                                                  MD5

                                                                  ca62d4125a24ea98f90b8d7b7c92801b

                                                                  SHA1

                                                                  72f50ecc667713b8f357a048a6f621664fd1e361

                                                                  SHA256

                                                                  9c34f3c2a16c88796170f5c2c9ac3a49cda5d897bd6d9e613cf686fdc3df3d75

                                                                  SHA512

                                                                  ed94d5947ea11db449d82a7dc26c5a8b73ac1dc42f10ed4f2af6c9fab753b4ea362d08816f058875ec294ce7a00f31531280a84df732b96d0a4e39cccd1dd2f2

                                                                • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe

                                                                  Filesize

                                                                  34KB

                                                                  MD5

                                                                  be3f826075408b5d6ae7b66a55b4a520

                                                                  SHA1

                                                                  cb2f05c14c75e140dcf68de310be1e9527f8193d

                                                                  SHA256

                                                                  9dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418

                                                                  SHA512

                                                                  295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2

                                                                • C:\Windows\Temp\KMSAuto\bin\KMSSS.exe

                                                                  Filesize

                                                                  34KB

                                                                  MD5

                                                                  be3f826075408b5d6ae7b66a55b4a520

                                                                  SHA1

                                                                  cb2f05c14c75e140dcf68de310be1e9527f8193d

                                                                  SHA256

                                                                  9dcf6e361b22730bae0f425393c8f89a8e92b933637a3009fbd0a598d5eb4418

                                                                  SHA512

                                                                  295eb9c695d25cce3557566eb535c034eaf51de76dfadb9a49533d43d2ccd9735c06106d150c737bbe3d95551850daa08c47c8d16cdbd2874eaacb908211e3f2

                                                                • C:\Windows\Temp\KMSAuto\bin\KMSactivator.vbs

                                                                  Filesize

                                                                  82KB

                                                                  MD5

                                                                  1e279e2ef92662bded2c7fd781306a73

                                                                  SHA1

                                                                  70da7979881b6a3b78c655b08de3c2aad8e60a10

                                                                  SHA256

                                                                  a5c143fa70977717f136327938f52d1ad0dab56b1bbecf0d49bd0a985dfad42a

                                                                  SHA512

                                                                  8afac7d4f591fe723d9602b54c508a74f15d6568ad4c01aef8eb9bee1862e5e55166f7f6f30468a0f4ed96031e6ecee67d2bb532e62a0b8c6bf8bf274d6c0fd1

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe

                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  91b75bcf59b2de235214ed47be8a99a5

                                                                  SHA1

                                                                  03129cd21f0bec38069fab1aecd69d6c9c80c13c

                                                                  SHA256

                                                                  b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5

                                                                  SHA512

                                                                  85e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe

                                                                  Filesize

                                                                  13KB

                                                                  MD5

                                                                  91b75bcf59b2de235214ed47be8a99a5

                                                                  SHA1

                                                                  03129cd21f0bec38069fab1aecd69d6c9c80c13c

                                                                  SHA256

                                                                  b852614080b267722d1a8201492fcf30bf1904b7fc7ff5084bef8423bc1222e5

                                                                  SHA512

                                                                  85e9175b21cde5e69e74f5a0fbb5b6f7095779a836d5ff4f6ded662c194e6cf6f63fd29f946632ad9d1fd5d4cfe47501f5cc2717e58c8f0b2c7403ee2945d31b

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

                                                                  Filesize

                                                                  68KB

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.dll

                                                                  Filesize

                                                                  16KB

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.inf

                                                                  Filesize

                                                                  151B

                                                                • C:\Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.sys

                                                                  Filesize

                                                                  34KB

                                                                • C:\Windows\Temp\KMSAuto\bin_x64.dat

                                                                  Filesize

                                                                  197KB

                                                                • \Windows\Temp\KMSAuto\bin\driver\x64WDV\FakeClient.exe

                                                                  Filesize

                                                                  13KB

                                                                • \Windows\Temp\KMSAuto\bin\driver\x64WDV\WdfCoInstaller01009.dll

                                                                  Filesize

                                                                  68KB

                                                                • \Windows\Temp\KMSAuto\bin\driver\x64WDV\WinDivert.dll

                                                                  Filesize

                                                                  16KB

                                                                • memory/1192-2-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB

                                                                • memory/1192-46-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB

                                                                • memory/1192-45-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB

                                                                • memory/1192-6-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB

                                                                • memory/1192-5-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB

                                                                • memory/1192-50-0x0000000000400000-0x00000000004C2000-memory.dmp

                                                                  Filesize

                                                                  776KB
